Dan-Nolan/Delegatecall-Proxy-Bug
Delegatecall Proxy Bug

This repository focuses on the vulnerability discovered by Trail of Bits on December 4th in the AAVE V2 contracts. We'll explore this vulnerability by writing a contract that would have exploited it!

To successfully pull off the attack we'll fork the mainnet at a block before AAVE initialized their contracts here and here.

Fortunately Hardhat makes it super easy to fork mainnet!

Getting Setup

There are a few steps to get setup here:

  • Install Node.js
  • Download this repository locally
  • Open the command line and navigate to your local copy of this repository
  • Run npm install to download all the dependencies

Once you've successfully downloaded the dependencies, we'll need to set up our repository to fork mainnet!

Forking Mainnet

In order to fork mainnet, we'll be pointing this repository at an Alchemy API endpoint. To do this, you'll need to sign up for Alchemy, create a mainnet project and get your HTTP endpoint.

Once you've done this, we'll use dotenv to store the endpoint in a local .env file that won't accidentally get committed! Since this package is already in your dependencies, all you'll need to do is create a new .env file at the top level of the repository and add the following entry to it:

FORKING_URL=https://eth-mainnet.alchemyapi.io/v2/<YOUR_API_KEY>

Replace <YOUR_API_KEY> with the API key from Alchemy.

Running Tests

The hardhat.config.js is already set up to point to a block before the vulnerability was fixed. All we'll need to do to run the exploit is run npx hardhat test. This will compile your contracts/Contract.sol file and provide it to our test/test.js file for testing!

You'll see in the test.js file we are deploying the Contract as well as the Destructor. The Contract will use the Destructor to self-destruct the lending pool and then return a successful return code on the lending pool delegate call.

If the test cases pass when you run npx hardhat test, then you've successfully destroyed the lending pool!

Check out the Trail of Bits article to understand the ramifications of this attack, and what could have happened if it had been exploited before they found it.
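The pattern behind this bug is an upgradeable implementation contract whose own storage was never initialized, so anyone could initialize it and steer a later delegatecall into a contract that self-destructs. As an added illustration (not code from this repository or from AAVE; contract and function names are hypothetical), here is a minimal sketch of that weak pattern next to the usual hardening: locking the implementation's initializer in its constructor, which only ever runs in the implementation's own context and never through a proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration only; these are not the AAVE or repository contracts.
// Weak pattern: the implementation sits behind a proxy, but its own storage is never
// initialized. Anyone can call initialize() on the implementation directly and choose
// the address it later delegatecalls into.
contract WeakImplementation {
    bool private initialized;
    address public manager;

    function initialize(address _manager) external {
        require(!initialized, "already initialized");
        initialized = true;
        manager = _manager;
    }

    // A selfdestruct executed inside this delegatecall runs in the context of this
    // contract, i.e. the implementation that every proxy points at.
    function run(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = manager.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}

// Hardened: a constructor never runs through a proxy, so flagging the implementation
// as initialized there locks its own storage for good. Each proxy still initializes
// its own storage via delegatecall, where the flag is still false.
contract HardenedImplementation {
    bool private initialized;
    address public manager;

    constructor() {
        initialized = true;
    }

    function initialize(address _manager) external {
        require(!initialized, "already initialized");
        initialized = true;
        manager = _manager;
    }

    function run(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = manager.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}
```

OpenZeppelin's Initializable provides the same lock as `_disableInitializers()`, meant to be called from the implementation's constructor; a quick check for a deployed proxy system is to call the implementation's initializer directly and confirm it reverts.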

Thanks Trail of Bits!
